Securing sensitive information in a network cloud

ABSTRACT

Implementation of a secure network may be provided by analyzing packet traffic for sensitive information. Network processing elements found to be processing sensitive information may be classified as needing higher security. The classified network processing elements may be moved into a group of secure network processing elements.

RELATED APPLICATIONS

The present continuation application claims the benefit of priority ofU.S. patent application Ser. No. 13/742,214, filed Jan. 15, 2013, whichapplication is incorporated herein by reference in its entirety.

BACKGROUND

The present invention relates to network implementation, and morespecifically, to a secure cloud implementation.

In a cloud-server network environment there can be different kinds ofservers, for example web servers at the front-end, compute servers,database servers, and storage servers. Some of the servers handleconfidential and sensitive data, for example credit card information,social security records, health care information, etc. Other serverswithin data center may handle other non-sensitive information. Networksmay be set up with the aim to ensure that sensitive and confidentialdata are secure and will not be exposed to breaches. In a dynamicvirtualized data center, it may be difficult to group all the servershandling confidential data together and dynamically secure them.Sometimes the sensitive data is known to some of the servers while notknown to other servers in the network. The sensitive data might bestored on the compute servers but might not be on the storage ordatabase servers. Sometimes data needs to be shared with some serversbut not with the other servers.

SUMMARY

According to one embodiment of the present invention, a computer programproduct for securing sensitive information in a network, comprises acomputer readable storage medium having computer readable program codeembodied therewith. The computer readable program code is configured toidentify one or more network processing elements as elements processingnetwork traffic, analyze packets through the identified networkprocessing elements for sensitive information, classify selected membersof the identified network processing elements as elements processingsensitive information, and move the classified selected members into asecure group of network processing elements.

According to another embodiment of the present invention, a networksystem comprises a plurality network processing elements. A controllermay be coupled to the plurality of networking processing elements. Thecontroller may be configured to analyze packets, for sensitiveinformation, passing through the plurality of network processingelements, classify selected members of the plurality of networkprocessing elements as elements processing sensitive information, andmove the classified selected members into a closed user group (CUG) ofnetwork processing elements.

According to yet another embodiment of the present invention, a methodof securing a network comprises identifying one or more networkprocessing elements that are processing network traffic. Packets passingthrough the identified network processing elements may be analyzed forsensitive information. Selected members of the identified networkprocessing elements may be classified as processing sensitiveinformation. The classified selected members may be moved into a closeduser group (CUG) of network processing elements.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts a cloud computing node according to an embodiment of thepresent invention.

FIG. 2 depicts a cloud computing environment according to anotherembodiment of the present invention.

FIG. 3 depicts abstraction model layers according to yet anotherembodiment of the present invention.

FIG. 4 is a block diagram of a system according to still anotherembodiment of the present invention.

FIG. 5 is a block diagram of a kernel level module used in the system ofFIG. 4.

FIG. 6 is a block diagram showing the movement of network processingelements of FIG. 4.

FIG. 6A is a block diagram showing the movement of network processingelements into a closed user group in the system of FIG. 4.

FIG. 7 is a flowchart of a method of securing a network according to yetanother embodiment of the present invention.

DETAILED DESCRIPTION

It is understood in advance that although this disclosure includes adetailed description on cloud computing, implementation of the teachingsrecited herein are not limited to a cloud computing environment. Rather,embodiments of the present invention are capable of being implemented inconjunction with any other type of computing environment now known orlater developed.

Cloud computing is a model of service delivery for enabling convenient,on-demand network access to a shared pool of configurable computingresources (e.g. networks, network bandwidth, servers, processing,memory, storage, applications, virtual machines, and services) that canbe rapidly provisioned and released with minimal management effort orinteraction with a provider of the service. This cloud model may includeat least five characteristics, at least three service models, and atleast four deployment models.

Characteristics may include:

On-demand self-service: a cloud consumer can unilaterally provisioncomputing capabilities, such as server time and network storage, asneeded, automatically, without requiring human interaction with theservice's provider.

Broad network access: capabilities are available over a network andaccessed through standard mechanisms that promote use by heterogeneousthin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Cloud Software as a Service (SaaS): the capability provided to theconsumer may be to use the provider's applications running on cloudinfrastructure. The applications may be accessible from various clientdevices through a thin client interface such as a web browser (e.g.,web-based email). The consumer need not necessarily manage or controlthe underlying cloud infrastructure including network, servers,operating systems, storage, or even individual application capabilities,with the possible exception of limited user-specific applicationconfiguration settings.

Resource pooling: the provider's computing resources may be pooled toserve multiple consumers using a multi-tenant model, with differentphysical and virtual resources dynamically assigned and reassignedaccording to demand. There is a sense of location independence in thatthe consumer generally has no control or knowledge over the exactlocation of the provided resources, but may be able to specify locationat a higher level of abstraction (e.g., country, state, or datacenter).

Rapid elasticity: capabilities may be rapidly and elasticallyprovisioned, in some cases automatically to quickly scale out, and maybe rapidly released to quickly scale in. To the consumer, thecapabilities available for provisioning often appear to be unlimited andcan be purchased in any quantity at any time.

As will be appreciated by one skilled in the art, aspects of the presentinvention may be embodied as a system, method or process, or computerprogram product. Accordingly, aspects of the present invention may takethe form of an entirely hardware embodiment, an entirely softwareembodiment (including firmware, resident software, micro-code, etc.) oran embodiment combining software and hardware aspects that may allgenerally be referred to herein as a “circuit,” “module,” or “system.”Furthermore, aspects of the present invention may take the form of acomputer program product embodied in one or more computer readable mediahaving computer readable program code embodied thereon.

Any combination of one or more computer readable media may be utilized.The computer readable medium may be a computer readable signal medium ora computer readable storage medium. A computer readable storage mediummay be, for example, but not limited to, an electronic, magnetic,optical, electromagnetic, infrared, or semiconductor system, apparatus,or device, or any suitable combination of the foregoing. More specificexamples (a non-exhaustive list) of the computer readable storage mediumwould include the following: an electrical connection having one or morewires, a portable computer diskette, a hard disk, a random access memory(RAM), a read-only memory (ROM), an erasable programmable read-onlymemory (EPROM or Flash memory), an optical fiber, a portable compactdisc read-only memory (CD-ROM), an optical storage device, a magneticstorage device, or any suitable combination of the foregoing. In thecontext of this document, a computer readable storage medium may be anytangible medium that can contain, or store a program for use by or inconnection with an instruction execution system, apparatus, or device.

A computer readable signal medium may include a propagated data signalwith computer readable program code embodied therein, for example, inbaseband or as part of a carrier wave. Such a propagated signal may takeany of a variety of forms, including, but not limited to,electro-magnetic, optical, or any suitable combination thereof. Acomputer readable signal medium may be any computer readable medium thatis not a computer readable storage medium and that can communicate,propagate, or transport a program for use by or in connection with aninstruction execution system, apparatus, or device.

Program code embodied on a computer readable medium may be transmittedusing any appropriate medium, including but not limited to wireless,wireline, optical fiber cable, RF, etc., or any suitable combination ofthe foregoing.

Computer program code for carrying out operations for aspects of thepresent invention may be written in any combination of one or moreprogramming languages, including an object oriented programming languagesuch as Java, Smalltalk, C++ or the like and conventional proceduralprogramming languages, such as the “C” programming language or similarprogramming languages. The program code may execute entirely on theuser's computer, partly on the user's computer, as a stand-alonesoftware package, partly on the user's computer and partly on a remotecomputer or entirely on the remote computer or server. In the latterscenario, the remote computer may be connected to the user's computerthrough any type of network, including a local area network (LAN) or awide area network (WAN), or the connection may be made to an externalcomputer (for example, through the Internet using an Internet ServiceProvider).

Aspects of the present invention are described below with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems) and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer program instructions. These computer program instructions maybe provided to a processor of a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer or other programmable data processingapparatus, create means for implementing the functions/acts specified inthe flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computerreadable medium that can direct a computer, other programmable dataprocessing apparatus, or other devices to function in a particularmanner, such that the instructions stored in the computer readablemedium produce an article of manufacture including instructions whichimplement the function/act specified in the flowchart and/or blockdiagram block or blocks.

The computer program instructions may also be loaded onto a computer,other programmable data processing apparatus, or other devices to causea series of operational steps to be performed on the computer, otherprogrammable apparatus or other devices to produce a computerimplemented process such that the instructions which execute on thecomputer or other programmable apparatus provide processes forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks.

Referring now to FIG. 1, a schematic of an example of a cloud computingnode 10 is shown. The cloud computing node 10 illustrated is only oneexample of a suitable cloud computing node and is not intended tosuggest any limitation as to the scope of use or functionality ofembodiments of the invention described herein. Regardless, the cloudcomputing node 10 is capable of being implemented and/or performing anyof the functionality set forth hereinabove.

In the cloud computing node 10 there is a computer system/server 12,which is operational with numerous other general purpose or specialpurpose computing system environments or configurations. Examples ofwell-known computing systems, environments, and/or configurations thatmay be suitable for use with the computer system/server 12 include, butare not limited to, personal computer systems, server computer systems,thin clients, thick clients, handheld or laptop devices, multiprocessorsystems, microprocessor-based systems, set top boxes, programmableconsumer electronics, network PCs, minicomputer systems, mainframecomputer systems, and distributed cloud computing environments thatinclude any of the above systems or devices, and the like.

The computer system/server 12 may be described in the general context ofcomputer system executable instructions, such as program modules, beingexecuted by a computer system. Generally, program modules may includeroutines, programs, objects, components, logic, data structures, and soon that perform particular tasks or implement particular abstract datatypes. The computer system/server 12 may be practiced in distributedcloud computing environments where tasks are performed by remoteprocessing devices that are linked through a communications network. Ina distributed cloud computing environment, program modules may belocated in both local and remote computer system storage media includingmemory storage devices.

As shown in FIG. 1, a computer system/server 12 in the cloud computingnode 10 is shown in the form of a general-purpose computing device. Thecomponents of the computer system/server 12 may include, but are notlimited to, one or more processors or processing units 16, a systemmemory 28, and a bus 18 that couples various system components includingthe system memory 28 to the processor 16.

The bus 18 represents one or more of any of several types of busstructures, including a memory bus or memory controller, a peripheralbus, an accelerated graphics port, and a processor or local bus usingany of a variety of bus architectures. By way of example, and notlimitation, such architectures include Industry Standard Architecture(ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA)bus, Video Electronics Standards Association (VESA) local bus, andPeripheral Component Interconnects (PCI) bus.

The computer system/server 12 may typically include a variety ofcomputer system readable media. Such media could be chosen from anyavailable media that is accessible by computer system/server 12,including volatile and non-volatile media, removable and non-removablemedia.

The system memory 28 could include one or more computer system readablemedia in the form of volatile memory, such as a random access memory(RAM) 30 and/or a cache memory 32. The computer system/server 12 mayfurther include other removable/non-removable, volatile/non-volatilecomputer system storage media. By way of example only, a storage system34 can be provided for reading from and writing to a non-removable,non-volatile magnetic media device typically called a “hard drive” (notshown). Although not shown, a magnetic disk drive for reading from andwriting to a removable, non-volatile magnetic disk (e.g., a “floppydisk”), and an optical disk drive for reading from or writing to aremovable, non-volatile optical disk such as a CD-ROM, DVD-ROM or otheroptical media could be provided. In such instances, each can beconnected to the bus 18 by one or more data media interfaces. As will befurther depicted and described below, the system memory 28 may includeat least one program product having a set (e.g., at least one) ofprogram modules that are configured to carry out the functions ofembodiments of the invention.

A program/utility 40, having a set (at least one) of program modules 42,may be stored in the system memory 28 by way of example, and notlimitation, as well as an operating system, one or more applicationprograms, other program modules, and program data. Each of the operatingsystem, one or more application programs, other program modules, andprogram data or some combination thereof, may include an implementationof a networking environment. The program modules 42 generally carry outthe functions and/or methodologies of embodiments of the invention asdescribed herein.

The computer system/server 12 may also communicate with one or moreexternal devices 14 such as a keyboard, a pointing device, a display 24,etc.; one or more devices that enable a user to interact with thecomputer system/server 12; and/or any devices (e.g., network card,modem, etc.) that enable the computer system/server 12 to communicatewith one or more other computing devices. Such communication can occurvia Input/Output (110) interfaces 22. Alternatively, the computersystem/server 12 can communicate with one or more networks such as alocal area network (LAN), a general wide area network (WAN), and/or apublic network (e.g., the Internet) via a network adapter 20. Asdepicted, the network adapter 20 may communicate with the othercomponents of computer system/server 12 via the bus 18. It should beunderstood that although not shown, other hardware and/or softwarecomponents could be used in conjunction with the computer system/server12. Examples, include, but are not limited to: microcode, devicedrivers, redundant processing units, external disk drive arrays, RAIDsystems, tape drives, and data archival storage systems, etc.

Referring now to FIG. 2, an illustrative cloud computing environment 50is depicted. As shown, the cloud computing environment 50 comprises oneor more cloud computing nodes 10 with which local computing devices usedby cloud consumers, such as, for example, a personal digital assistant(PDA) or a cellular telephone 54A, desktop computer 54B, laptop computer54C, and/or a automobile computer system 54N, may communicate. The nodes10 may communicate with one another. They may be grouped physically orvirtually, in one or more networks, such as Private, Community, Public,or Hybrid clouds as described hereinabove, or a combination thereof.This allows cloud the computing environment 50 to offer infrastructure,platforms, and/or software as services for which a cloud consumer doesnot need to maintain resources on a local computing device. It isunderstood that the types of computing devices 54A-N shown in FIG. 2 areintended to be illustrative only and that the computing nodes 10 and thecloud computing environment 50 can communicate with any type ofcomputerized device over any type of network and/or network addressableconnection (e.g., using a web browser).

Referring now to FIG. 3, a set of functional abstraction layers providedby the cloud computing environment 50 (FIG. 2) is shown. It should beunderstood in advance that the components, layers, and functions shownin FIG. 3 are intended to be illustrative only and embodiments of theinvention are not limited thereto. As depicted, the following layers andcorresponding functions are provided:

A hardware and software layer 60 may include hardware and softwarecomponents. Examples of hardware components include mainframes, in oneexample IBM® zSeries® systems; RISC (Reduced Instruction Set Computer)architecture based servers, in one example IBM pSeries® systems; IBMxSeries® systems; IBM BladeCenter® systems; storage devices; networksand networking components. Examples of software components includenetwork application server software, in one example IBM WebSphere®application server software; and database software, in one example IBMDB2® database software. (IBM, zSeries, pSeries, xSeries, BladeCenter,WebSphere, and DB2 are trademarks of International Business MachinesCorporation registered in many jurisdictions worldwide).

A virtualization layer 62 provides an abstraction layer from which thefollowing examples of virtual entities may be provided: virtual servers;virtual storage; virtual networks, including virtual private networks;virtual applications and operating systems; and virtual clients.

In one example, a management layer 64 may provide the functionsdescribed below. Resource provisioning provides dynamic procurement ofcomputing resources and other resources that are utilized to performtasks within the cloud computing environment. Metering and Pricingprovide cost tracking as resources are utilized within the cloudcomputing environment, and billing or invoicing for consumption of theseresources. In one example, these resources may comprise applicationsoftware licenses. Security provides identity verification for cloudconsumers and tasks, as well as protection for data and other resources.User portal provides access to the cloud computing environment forconsumers and system administrators. Service level management providescloud computing resource allocation and management such that requiredservice levels are met. Service Level Agreement (SLA) planning andfulfillment provide pre-arrangement for, and procurement of, cloudcomputing resources for which a future requirement is anticipated inaccordance with an SLA.

A workloads layer 66 may provide functionality for which the cloudcomputing environment may be utilized. Examples of workloads andfunctions which may be provided from this layer include: mapping andnavigation; software development and lifecycle management; virtualclassroom education delivery; data analytics processing; transactionprocessing; and secure cloud network implementation.

Referring now to FIG. 4, a cloud network system 100 (referred to simplyas the system 100 hereinafter) is shown according to an exemplaryembodiment of the present invention. The system 100 may include a frontend 101 comprising, for example, a web server 110. Virtualized datacenters or clouds may have multiple physical servers, each with ahypervisor which provides server resource virtualization. The system 100may include a cloud environment 105. The cloud environment 105 mayinclude multiple network processing elements 103, for example a computeserver 120, a database server 130, a storage server 140. Each computeentity on the hypervisor may be called a virtual machine (VM) 165. Eachhypervisor may have a virtual switching module called a vSwitch whichmay facilitate for all the VMs hosted on a particular hypervisor thetransmission and receipt of packets between each other or outside theserver. The virtual switching module may interact with the hypervisorand may provide the switching functionality to all the VMs of thathypervisor. Inside the cloud environment 105, there may be multiplevirtual switching modules since there are multiple hypervisors. Thevirtual switching module may be managed centrally via a controller. Thecontroller may configure access or control functionality of the virtualswitching modules. An example of control functionality may include anaccess control list (ACL) module which may be actively used for a securecloud mechanism.

Sensitive data, for example social security numbers, credit cardnumbers, personal identification codes, etc. may usually be sent to andfrom the servers using XML schemas and may access SQL data bases hostedby database software. An example of an XML function that may be employedincluding a data format for social security numbers is shown in Table 1.

TABLE 1 DECLARE @xml XMLSET @xml = ‘<SSNList><SSN><![CDATA[**<-=]]></SSN><SSN><![CDATA[**<-=]]></SSN></SSNList>’ select x.y.query(‘.’) from@xml.nodes(‘SSNList/SSN’) x(y) select x.y.value(‘.’, ‘NVARCHAR(MAX)’)from @xml.nodes(‘SSNList/SSN’) x(y)

FIG. 5 shows a kernel level module 200 of a virtual switching modulefunctionality. FIG. 6 shows a block diagram depicting the movement ofnetwork processing elements in securing a network 105. With reference toFIGS. 5 and 6, a packet function chain 210 may send and receive packetsbetween virtual interfaces and the hypervisor. A feature set module 220may contains functionality and features implemented to process thepackets. The feature set module 220 may include for example, an accesscontrol list (ACL) module 230 and a security extension module 240.

In an exemplary embodiment, deep packet inspection may be needed toclassify each packet travelling through the network 105. The securitylevel of the packet payload may be decided after looking deep in thepayload of the packet. The payload may include, for example, XML data,data base entries, or access queries for confidential data. Packetsfound with a high level of security classification may then be sent forinitial data collection. Some of the data collected may include thesource IP and destination IP addresses of the packet. The servers 160 ₁and 160 ₂ (referred to collectively as servers 160) or VMs 165 ₁, 165 ₂,165 ₃, 165 ₄, and 165 ₅, (referred to collectively as VMs 165)corresponding to those IP addresses may be classified as permitted toexchange confidential data and hence may be identified to be groupedinto a potentially secure server or group of servers. When servers 160or VMs 165 are classified as qualifying for a secure group, theclassifications may be provided to a central virtual switching modulecontroller 155 to take actions. The virtual switching module controller155 may sometimes be referred to simply as controller 155. The virtualswitching module controller 155 may be on a server 150 that may beoutside the network 105 however in some embodiments, it may be withinthe network 105.

The ACL module 230 may be configured to work based on the various fields(tuples) in layer2, layer3, and/or layer4 protocol headers. The numberof ACL entries may be created in an ACL table. The entries may be boundto one or more virtual ports. Each ACL entry may have one or moreactions associated with it. The actions may be user selectable.

The ACL module 230 functionality may be extended to look into the layer7level. The ACLs may thus be able to identify packets that use certaintransport level ports, certain XML types of queries inside theapplication level payload, etc. As may be appreciated, this capabilitymay be important to trap packets and forward them for different actions.The ACL module 230 may also be extended to have a new action named“FW_TO_SEC_EXT” which may be attached to packets to forward the packetsto the security extension module 240.

The security extension module 240 may provide a set of securityapplications. For example, the security extension module 240 may provideanalysis of packets and flows which are sent to it by the ACL module230. The analysis may include deep packet inspection in which theapplication layer packet payload may be identified and classified perapplication. The security extension module 240 may identify details suchas XML queries or responses, data associated with XML queries orresponses, the confidentiality level of such data, and theclassification of such data. The security extension module 240 may mapwhich network processing elements 103 may be processing sensitiveinformation. Based on the classification of data, the security extensionmodule 240 may create a list where each entry may contain the followinginformation regarding the source and destinations of the classifiedpacket flows.

  SecureVMTableEntry {Source IP Address; /* VM in the data center oroutside the data center. */     Destination IP Address; /* VM in thedata center. */     Application Id; /* Application e.g. FTP, SMTP, SQLData base access, etc. */     Data Classification; /* SSN, Credit CardData (CCD), HIPPA, FINA, etc */     Classification Level; /* Securitylevel of such transaction. 0-7 */     Action_Src_Req; /* Actionsuggested on the source VM. i.e. move to secure zone */    Action_Dst_Req; /* Action suggested on the destination VM. i.e. moveto secure zone */     Misc.};

The information associated with VMs 165 may be forwarded to thecontroller 155 for a number of actions. For example, the controller 155may take note of the information and presents it to the networkadministrator or data center administrator with details. Theadministrator may adjust the VMs' 165 policies and provide security toVMs 165 requiring protection for sensitive information. For example, theadministrator may determine that the VM 165 ₂ and the VM 165 ₃ may beprocessing sensitive information. The VM 165 ₂ and VM 165 ₃ may bere-classified as needing higher security and may be moved to more securezones or may be segregated with other VMs 165 with the same securityclassification level under one zone. For example, VM 165 ₂ and VM 165 ₃may be moved from server 160 ₁ and segregated into a secure server group170 (which includes VM 165 ₄ and VM 165 ₅) on server 160 ₂, thus makingthe data center more secure. Other VMs (for example, VM 165 ₆ on server160 ₃) who interact with VM 165 ₂ and VM 165 ₃ for information may alsobe moved along with VM 165 ₂ and VM 165 ₃ into the secure server group170. While the foregoing has been described in the context of VMs 165moving from one server 160 to another server 160, in some embodiments,the segregated virtual machines may span more than one server 160.Referring to FIG. 6A for example, VMs 165 needing higher security may bemoved into a closed user group (CUG) network 107. A CUG network 107 mayinclude only VMs 165 and servers 160 authorized with a heightened levelof security. The CUG network 107 may include one or more servers 160(shown as servers 160 ₄ and 160 ₅). VMs 165 ₂ through VM 165 ₆ may bemoved freely between servers 160 ₄ and 160 ₅ within the CUG network 107.However access to members of the CUG network 107 may require permissionsthat may be predetermined by, for example, the administrator.

The controller 155 may automate processes where a quick action may betaken in response to the report from the security extension module 240.The action may include moving all the associated VMs 165 from onephysical server 160 to another server 160 depending upon the securitylevel of the data handled, altering the network policies and firewallrules in those virtual switching modules and other such actions whichmakes the data center more secure. Thus, servers 160 or VMs 165processing network traffic that does not include sensitive informationneed not interact with servers 160 or VMs 165 processing sensitiveinformation.

Referring now to FIG. 7, a method 300 of securing a network is shownaccording to an exemplary embodiment of the present invention. Thecontroller may identify (310) one or more network processing elementsprocessing network traffic. The controller may analyze (320) packetspassing through the identified network processing elements for sensitiveinformation. The controller may classify (330) selected members of theidentified network processing elements as elements processing sensitiveinformation. The controller may move (340) the classified selectedmembers into a group of secure network processing elements. Thecontroller may move (350) network processing elements that interact withclassified members into the secure group.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, may be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

The terminology used herein is for the purpose of describing particularembodiments only and is not intended to be limiting of the invention. Asused herein, the singular forms “a”, “an” and “the” are intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. It will be further understood that the terms “comprises”and/or “comprising,” when used in this specification, specify thepresence of stated features, integers, steps, operations, elements,and/or components, but do not preclude the presence or addition of oneor more other features, integers, steps, operations, elements,components, and/or groups thereof.

The corresponding structures, materials, acts, and equivalents of allmeans or step plus function elements in the claims below are intended toinclude any structure, material, or act for performing the function incombination with other claimed elements as specifically claimed. Thedescription of the present invention has been presented for purposes ofillustration and description, but is not intended to be exhaustive orlimited to the invention in the form disclosed. Many modifications andvariations will be apparent to those of ordinary skill in the artwithout departing from the scope and spirit of the invention. Theembodiment was chosen and described in order to best explain theprinciples of the invention and the practical application, and to enableothers of ordinary skill in the art to understand the invention forvarious embodiments with various modifications as are suited to theparticular use contemplated.

What is claimed is:
 1. A computer implemented method of securing anetwork, comprising: identifying, using one or more processors of acomputing device, one or more network processing elements that areprocessing network traffic; analyzing, using the one or more processorsof the computing device, for sensitive information, packets passingthrough the identified network processing elements to determine asecurity classification level of one or more identified networkprocessing elements; classifying, using the one or more processors ofthe computing device, selected members of the one or more identifiednetwork processing elements as elements processing sensitive informationbased on a determined security classification level; and moving eachclassified selected member into a respective closed user group (CUG) ofthe one or more network processing elements based on the determinedsecurity classification level.
 2. The method of claim 1, includingsegregating the classified selected members from other identifiednetwork processing elements.
 3. The method of claim 1, including movingone or more of the network processing elements that interact with theclassified selected members for information into the secure group withthe classified selected members.
 4. The method of claim 1, wherein thenetwork processing elements are servers.
 5. The method of claim 1,wherein the network processing elements are virtual machines.